# IAM Profile Conformance

Executable checks for `canon/standards/iam-profile_v0.2.md`.

Runtime dependency: Python 3.11+ with `cryptography`. Fixture tests also require `pytest`.

Run a full check against a real issuer with a freshly minted access token:

```bash
python3 tools/iam-profile-conformance/iam_profile_conformance.py \
  --issuer https://id.example.net/realms/platform \
  --audience my-service \
  --access-token "$(cat token.jwt)" \
  --client-id iam-profile-conformance \
  --redirect-uri http://localhost/callback \
  --environment production
```

The PKCE probe sends an authorization request without a `code_challenge`; a conforming issuer rejects it. Use a dedicated public test client for this check.

For discovery-only smoke checks:

```bash
python3 tools/iam-profile-conformance/iam_profile_conformance.py \
  --issuer https://id.example.net/realms/platform \
  --audience my-service \
  --discovery-only \
  --skip-pkce-probe
```

Run fixture tests:

```bash
python3 -m pytest tools/iam-profile-conformance/tests
```
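
The PKCE probe described above, sketched as an added example (not the conformance tool's own code): it builds the authorization request without `code_challenge` and classifies the issuer's reply, failing closed on anything ambiguous. The function names, the `scope` and `state` values, and the treatment of 2xx and 400 replies are assumptions.

```python
"""Illustrative PKCE probe classifier (added example, not the tool's code)."""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_probe_url(authorization_endpoint, client_id, redirect_uri):
    """Authorization request that deliberately omits code_challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",        # assumed scope
        "state": "pkce-probe",    # assumed fixed state for the probe
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def classify_probe(status, location, redirect_uri):
    """Return 'rejected', 'accepted' or 'inconclusive' for the issuer's reply.

    Only 'rejected' should count as a pass; everything else fails closed.
    """
    if 300 <= status < 400 and location:
        got, want = urlsplit(location), urlsplit(redirect_uri)
        same_target = (got.scheme, got.netloc, got.path) == (
            want.scheme, want.netloc, want.path)
        if same_target:
            query = parse_qs(got.query)
            # RFC 7636 section 4.4.1 requires error=invalid_request here.
            if query.get("error") == ["invalid_request"]:
                return "rejected"
            if "code" in query:
                return "accepted"   # a code was issued without PKCE
        # Other errors or a redirect elsewhere (e.g. a login page) do not
        # prove that the missing code_challenge was the reason.
        return "inconclusive"
    if status == 400:
        return "rejected"           # assumption: direct error page
    if 200 <= status < 300:
        return "accepted"           # assumption: a login form was rendered
    return "inconclusive"
```

A 400 or `invalid_request` can also come from an unregistered client or redirect URI, which is why the probe needs a correctly registered, dedicated public test client.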